Tuesday, October 6, 2015

The Internet has made knowledge ubiquitous, but at the same time it has created a great many vulnerabilities. Plenty of malicious users are on the lookout for loopholes in your website so they can attack it. At the top of the list today is SQL injection, which is the most effective and invasive way to attack.

You can be a victim, if...

A lot of SQL injection attacks are reported daily, and there are ample websites that rely on data-driven designs to produce dynamic content for their readers. Since all these dynamic designs are built on MySQL or another database that depends on SQL, all of them are exposed to the danger.

Getting Acquainted

SQL injection attacks hit the database directly, so you need a good grasp, or at least preliminary knowledge, of databases before you start. If you are just starting out, you can certainly turn to beginner tutorials that tell you all you need to know.

What are we discussing here?

In this article, we will discuss how a website is attacked using SQL injection. Moreover, I am writing this article so that you know how these attacks make their way to a website and how you can ensure your safety from them. One must not forget that performing a SQL injection attack is circumventing the law, and as we know, flouting the rules has its own serious repercussions (so be cautious). This article is a step towards ethical hacking.

Thinking like a hacker: Step-wise analysis

* First, they bypass the logins
* Second, they access the secret data
* Then they modify the content of the website
* Finally, they shut down the MySQL database server

That was a succinct summary; we will now discuss each step in detail.

Step 1: Searching for exposed/vulnerable websites:

Google, the king of the search engines, works as the holy grail for hackers. To find a list of vulnerable websites, hackers adopt Google's dork list. A Google dork is a search query crafted so that the power of Google's search is used to find hackable websites. There are many tricks to refine the search, but the best one is the "inurl:" operator, which finds websites that are prone to danger.

For example you can type in:
inurl:index.php?id=
inurl:article.php?id=

Searching:
1. Copy any of these commands and paste it into Google's search bar.
2. Google will fetch you a list of websites.
3. Then you need to visit each of the websites to check how vulnerable it is.

Gauging the Vulnerability:

To check whether the website is vulnerable or not, add a single quote (') at the end of the website's URL and press Enter. (There should be no space between the single quote and the number.)

Suppose you got an error message at number 8; then the number of columns is "n-1", i.e. here it is 7.

This method is not infallible, so if it is not working, add "--" at the end of the statement.

For instance:

http://www.hackable.com/index.php?id=2 order by 1--
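To see why the single-quote check and the "order by" probe behave as they do, here is an added example, not from the original post, in Python with an in-memory SQLite table standing in for the site's MySQL database. It places the pattern the probes exploit (the id parameter pasted straight into the SQL text) next to the parameterised form that defeats them. The table, its rows and all function names are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the site's database (constructed sample data, not from the post)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany(
        "INSERT INTO articles VALUES (?, ?)",
        [(1, "first"), (2, "second"), (3, "third")],
    )
    return con


def fetch_article_vulnerable(con, raw_id):
    """The pattern the walkthrough relies on: the raw id parameter becomes part of the SQL text.

    Deliberately vulnerable for demonstration; a trailing quote in raw_id breaks the statement
    and, if the resulting database error is shown to the client, confirms injection is possible.
    """
    sql = "SELECT id, title FROM articles WHERE id = " + raw_id
    return con.execute(sql).fetchall()


def fetch_article_safe(con, raw_id):
    """Parameterised form: raw_id is bound as a value and is never parsed as SQL."""
    return con.execute(
        "SELECT id, title FROM articles WHERE id = ?", (raw_id,)
    ).fetchall()


def probe(fetch, con, raw_id):
    """Run one lookup and report what a caller observes: rows, or the database error text."""
    try:
        return {"rows": fetch(con, raw_id), "error": None}
    except sqlite3.Error as exc:
        return {"rows": None, "error": str(exc)}


if __name__ == "__main__":
    con = make_db()
    for raw_id in ("2", "2'", "2 order by 1--"):
        print("vulnerable", repr(raw_id), probe(fetch_article_vulnerable, con, raw_id))
        print("safe      ", repr(raw_id), probe(fetch_article_safe, con, raw_id))
```

With the concatenated query, "2'" produces a syntax error while "2 order by 1--" runs cleanly, which is exactly the difference the probes look for. With the bound parameter, both inputs are compared as literal values, match nothing, and raise no error, so there is nothing for a probe to learn. Validating that the id is an integer before it reaches the query is a sensible second layer, but the binding is what removes the injection itself.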

Step 4: Knowing the vulnerable columns:

Hackers use "union select columns_sequence" to find out which columns are prone to danger. In this step the "order by n" statement is replaced with it. After that the id value is swapped for a negative number, i.e. id = -2, though on some websites this may not be necessary.

You also need to change columns_sequence to the numbers from 1 to n-1, separated by commas.

For example:

Suppose the number of columns is 7; then the query will be

Step 6: Finding the table name
Finding the table name depends on the version of MySQL. If the aforementioned query returned version 5 or above, follow these steps. First, replace the numeral 3 with

"group_concat(table_name)" and add "from information_schema.tables where table_schema=database()"

You need to use the above query like this:

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables where table_schema=database()--

Using this query will fetch you a list of table names. Then you need to find a table related to users or admins.

After this, pick the "admin" table.

If the site runs version 4 or any other version, you need to guess the table names. This is why SQL injection is difficult to perform against version 4.

Step 7: Searching the Column Name

To find the column names, replace "group_concat(table_name)" with "group_concat(column_name)"

and then add "FROM information_schema.columns WHERE table_name=mysqlchar--" in place of "from information_schema.tables where table_schema=database()--"

This step is crucial: you need to convert the table name into a MySQL CHAR() string and write that in place of mysqlchar.

Running this will fetch the list of all the column names:
admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pass,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password..etc..

Now write group_concat(columnname,0x3a,anothercolumnname) in place of group_concat(column_name).

Replace columnname and anothercolumnname with the column names from the list above.

Then write "from table_name" in place of "from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)".
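From the defender's side, the probes in Step 1 and the column, table and column-name enumeration of Steps 4, 6 and 7 leave a recognisable trail in the web server's access log: a trailing single quote on a numeric parameter followed by an error response, "order by n", "union select", references to information_schema, and a trailing "--" comment. The following added example, not from the original post, scans constructed sample log lines for those stages and groups them per client, so the full progression from one source stands out from a stray quote typed by a real user. The log lines, IP addresses, rule names and function names are all constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines ("combined"-style), not taken from the post.
# The request strings reproduce the probes the post walks through, in URL-encoded form.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2015:10:00:01 +0000] "GET /index.php?id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Oct/2015:10:00:02 +0000] "GET /index.php?id=2' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Oct/2015:10:00:03 +0000] "GET /index.php?id=2%20order%20by%201-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Oct/2015:10:00:09 +0000] "GET /index.php?id=-2%20and%201=2%20union%20select%201,2,group_concat(table_name),4,5,6,7%20from%20information_schema.tables%20where%20table_schema=database()-- HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2015:10:01:00 +0000] "GET /article.php?id=15 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Client address, timestamp, request line and status code of a combined-format entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the stages of the walkthrough, applied to each URL-decoded parameter value.
# Rule names are assumptions for this example.
RULES = {
    "quote_probe": re.compile(r"^\d+'$"),                        # numeric id with a trailing '
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),   # column-count probing
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),  # table/column enumeration
    "comment_terminator": re.compile(r"(--|#)\s*$"),             # trailing comment cutting the query
}


def scan_line(line):
    """Return a finding dict for one log line, or None if no parameter matched a rule."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    hits = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        matched = [rule for rule, pat in RULES.items() if pat.search(value)]
        if matched:
            hits[name] = matched
    if not hits:
        return None
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "status": status,
        "params": hits,
        # A 5xx right after a quote probe suggests the database error reached the client,
        # which is precisely the signal the walkthrough relies on.
        "error_disclosed": status >= 500
        and any("quote_probe" in rules for rules in hits.values()),
    }


def scan_log(text):
    """Scan every line of an access log and keep only the lines that matched."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


def progression_by_ip(findings):
    """Map each client to the set of stages it exhibited, so a quote -> order by -> union ->
    information_schema sequence from one source is visible at a glance."""
    stages = {}
    for f in findings:
        seen = stages.setdefault(f["ip"], set())
        for rules in f["params"].values():
            seen.update(rules)
    return stages


if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f)
    print(progression_by_ip(findings))
```

Matching on decoded parameter values rather than the raw request line matters: the encoded form "%20order%20by%20" would otherwise slip past a naive substring check. The per-client grouping is what turns individual hits into a story; an isolated quote_probe is common noise, while one address accumulating all five stages within seconds is the walkthrough being executed against you, and the error_disclosed flag additionally tells you the application is leaking database errors to clients.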